The report aims to examine the risk of vulnerabilities in these projects due to widespread use of outdated versions; understaffed projects; and existence of known security flaws. (As the list reveals, many are only sporadically updated).
It comes amid growing concerns in some quarters about the “back-dooring” of open source software code bases, following several recent such attacks.
Jim Zemlin, executive director at the Linux Foundation, said: “The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that result in trust and transparency in software.”
He added: “Open source is an undeniable and critical part of today’s economy, providing the underpinnings for most of our global commerce. Hundreds of thousands of open source software packages are in production applications throughout the supply chain, so understanding what we need to be assessing for vulnerabilities is the first step for ensuring long-term security and sustainability of open source software.”
Software Bill of Materials
It also comes as the US federal government looks to create a Software Bill of Materials (SBOM) requirement that would oblige all industries to detail the composition of their software systems.
The census authors note: “There is far too little data on actual FOSS usage. Although public data on package downloads, code changes, and known security vulnerabilities abound, the view on where and how FOSS packages are being used remains opaque.
“Accurate project identification impacts not only academia, but the private sector as well. As cyberattacks and security breaches increase, all companies—not just Big Tech—will need to become more cognizant of which components comprise their websites and applications, as well as the origins of those components.”
Open Source Census: The Top 10 FOSS Components in Production Applications
The research combined public data sets with private usage data from Software Composition Analysis (SCA) vendors and application security companies, including Snyk and the Synopsys Cybersecurity Research Center (CyRC), working in partnership with the Linux Foundation’s CII to produce the list. The SCA partners supplied data from automated scans of production systems within their customers’ environments.
“FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure,” said Frank Nagle, a professor at Harvard Business School and co-director of the Census II project. “Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy.”